Building a resilience framework

When designing and implementing a holistic resilience framework, organisations should consider the following foundational elements:

Which internal and external facing business services and functions support the continued operations and financial stability of the organisation.

Of these internal and external facing business services and functions, which are:

  • Performed by the organisation in-house
  • Delegated to an outsourced service provider
  • Considered a critical or important business service under the Operational Resilience Guidance
  • Considered a critical or important function under DORA
  • Time critical, such that any disruption may significantly impact the organisation's ability to operate within impact tolerances

How such services are delivered, and what interconnections and interdependencies support continuous service delivery (paying particular attention to critical or important business services and functions).

How much accessible capital the organisation has to meet its obligations and maintain financial stability in adverse conditions, including consideration of how liquid the organisation's or group's assets are, should it need to raise additional funds.

Components of a resilience framework

OPERATIONAL RISK AND BUSINESS CONTINUITY FRAMEWORK

Focus on mitigating the risk of a single point of failure as it relates to all functions, processes and services

Examples of related documents

  • Business continuity plan
  • Disaster recovery & crisis management plan
  • Communication call tree

OPERATIONAL RESILIENCE FRAMEWORK

Focus on minimising the disruption caused by a single point of failure on the end-to-end delivery of an external facing business service

Examples of related documents

  • Business service inventory & mapping
  • Business Impact Assessments (“BIA”), Impact Tolerances, Recovery Point Objectives (“RPO”) and Recovery Time Objectives (“RTO”)
  • Incident management plans
  • Communication plans

THIRD PARTY RISK MANAGEMENT FRAMEWORK

Focus on managing the risks arising from the use of both external third-party and intragroup service providers in the delivery of business services

Examples of related documents

  • Contracts & service level agreements
  • Third-party service provider exit strategy & plans
  • Outsourcing register

ICT RISK MANAGEMENT FRAMEWORK

Focus on managing ICT risk and ICT-related incidents as it relates to both internal and external facing business functions

Examples of related documents

  • ICT business continuity plans
  • Response & recovery plan
  • Crisis communication plans
  • ICT-related incident management & reporting
  • Digital operational resilience testing
  • Register of information

FINANCIAL RESILIENCE FRAMEWORK

Focus on ensuring minimum capital and liquidity requirements are maintained

Examples of related documents

  • Budgets & financial forecasts
  • Liquidity stress testing policy
  • Contingency funding plan
  • Recovery and resolution plans
  • Internal Capital Adequacy Assessment Process and Internal Liquidity Adequacy Assessment Process (ICAAP / ILAAP)

GOVERNANCE AND INTERNAL CONTROL FRAMEWORK

Focus on ensuring clear roles and responsibilities are assigned, that individuals throughout the organisation take appropriate measures to manage and mitigate resilience risk, and that the culture of the organisation promotes a resilience mindset

Examples of related documents

  • Organisational charts
  • Job descriptions & reasonable steps documents
  • Management responsibilities maps
  • Training materials

Key areas of focus

Having applied the regulatory view of resilience, organisations should reassess their operational landscape to identify additional services that warrant inclusion in their resilience framework planning.

This includes mapping all stakeholders to support the identification of external and internal end-users.

Tip: Evaluate each revenue stream, including monies received under intragroup transfer pricing arrangements, to identify ‘who’ is paying for ‘what’.

Given the distinct regulatory scopes, the list of critical or important business services identified by an organisation under the cross industry guidance on operational resilience is unlikely to match an organisation's list of critical or important functions under DORA.

The operational resilience guidance requires organisations to focus only on those external facing business services which are provided to ‘external end users’ and must be distinguishable from business lines or functions that are a collection of services and activities. Other regulations, including DORA, require organisations to identify both their internal and external critical or important functions, being those which could impact the organisation's:

  • Financial performance
  • Soundness or continuity of its services and activities
  • Ability to comply with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law

What does that mean for organisations seeking to identify both their business services and functions?

  • Organisations should adopt both top-down and bottom-up methodologies to identify business services and functions, considering licensed activities and daily operational tasks. Each business service or function must be mapped to its contributing resources and assessed for criticality and interdependence.
  • Ancillary services provided to external end-users or shared services within group structures should also be evaluated and incorporated into the organisation’s operational resilience planning where appropriate

Many Irish regulated organisations operate under a delegated model where one or more of their core activities is performed by a suitably qualified and authorised third-party provider. For this reason, the management and oversight of third-party arrangements, and of the risks arising from them, are fundamental to operational resilience.

When designing and implementing an organisation's third-party risk management framework, organisations should consider the following to help ensure resilience by design:

  • Alignment with the organisation’s third-party engagement strategy
  • Pre-engagement due diligence on service standards, governance, regulatory status, and group affiliations
  • Contractual provisions ensuring restoration of services in accordance with RTOs, RPOs, and impact tolerances
  • Ongoing monitoring of business continuity, disaster recovery, and incident response plans
  • Evaluation of proposed service delivery changes and their impact on resilience
  • Designation of qualified personnel to manage third-party and ICT-related risks
  • Defined criteria for triggering exit plans and contingency measures, including reintegration or substitution of service providers
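The service mapping described above (each business service mapped to its contributing resources and assessed for criticality and interdependence) and the oversight of third-party arrangements can be made concrete in a small inventory model. The following Python is an added example and is not part of the original page, nor of any regulator's guidance; the organisation, service names, provider names and hour values are constructed, and the definitions it applies are simplifying assumptions of the example: a "single point of failure" is a resource that two or more critical services depend on, a "tolerance breach" is a resource whose RTO is longer than the impact tolerance of a critical service relying on it, and "provider concentration" is the share of critical-service dependencies that sit with one provider.

```python
from collections import Counter, defaultdict

# Constructed sample inventory for a hypothetical organisation (not from the page).
# Each service records whether it is critical or important, its impact tolerance
# in hours, whether delivery is delegated, and the resources it relies on.
SERVICES = {
    "client_onboarding": {
        "critical": True, "impact_tolerance_hours": 4, "outsourced": False,
        "resources": ["core_ledger", "kyc_screening", "identity_provider"],
    },
    "payments": {
        "critical": True, "impact_tolerance_hours": 2, "outsourced": False,
        "resources": ["core_ledger", "payment_gateway", "identity_provider"],
    },
    "statement_generation": {
        "critical": False, "impact_tolerance_hours": 72, "outsourced": False,
        "resources": ["core_ledger", "reporting_db"],
    },
    "fund_administration": {
        "critical": True, "impact_tolerance_hours": 24, "outsourced": True,
        "resources": ["fund_admin_platform", "identity_provider"],
    },
}

# Each resource records who provides it ("in-house" or a constructed vendor name)
# and the recovery time objective committed for it, in hours.
RESOURCES = {
    "core_ledger":        {"provider": "in-house", "rto_hours": 1},
    "kyc_screening":      {"provider": "VendorA",  "rto_hours": 8},
    "identity_provider":  {"provider": "VendorB",  "rto_hours": 4},
    "payment_gateway":    {"provider": "VendorB",  "rto_hours": 3},
    "reporting_db":       {"provider": "in-house", "rto_hours": 48},
    "fund_admin_platform": {"provider": "VendorC", "rto_hours": 12},
}


def single_points_of_failure(services, resources, min_dependents=2):
    """Resources on which at least `min_dependents` critical services depend.

    Returns {resource: [dependent critical services, sorted]}.
    """
    dependents = defaultdict(list)
    for name, svc in services.items():
        if svc["critical"]:
            for res in svc["resources"]:
                dependents[res].append(name)
    return {res: sorted(names) for res, names in dependents.items()
            if len(names) >= min_dependents}


def tolerance_breaches(services, resources):
    """Critical services whose impact tolerance is shorter than the RTO of a
    resource they rely on. A resource whose RTO exactly equals the tolerance is
    not flagged (strict comparison), so the boundary case stays visible to a reviewer.
    """
    breaches = {}
    for name, svc in services.items():
        if not svc["critical"]:
            continue
        slow = [res for res in svc["resources"]
                if resources[res]["rto_hours"] > svc["impact_tolerance_hours"]]
        if slow:
            breaches[name] = slow
    return breaches


def provider_dependency_counts(services, resources):
    """How many critical-service dependencies each provider carries."""
    counts = Counter()
    for svc in services.values():
        if svc["critical"]:
            for res in svc["resources"]:
                counts[resources[res]["provider"]] += 1
    return dict(counts)


def concentrated_providers(services, resources, max_share=0.4):
    """Providers whose share of critical-service dependencies exceeds `max_share`."""
    counts = provider_dependency_counts(services, resources)
    total = sum(counts.values())
    return sorted(p for p, c in counts.items() if total and c / total > max_share)


if __name__ == "__main__":
    print("Single points of failure:", single_points_of_failure(SERVICES, RESOURCES))
    print("Impact tolerance breaches:", tolerance_breaches(SERVICES, RESOURCES))
    print("Provider dependency counts:", provider_dependency_counts(SERVICES, RESOURCES))
    print("Concentrated providers (>40%):", concentrated_providers(SERVICES, RESOURCES))
```

On the constructed inventory the checks surface exactly the findings a resilience review is meant to raise: the core ledger and the identity provider are shared by several critical services, the payments service cannot meet its two-hour tolerance if either the payment gateway or the identity provider fails, and one vendor carries half of all critical-service dependencies, which is the kind of result that would feed exit-plan triggers and substitution planning.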

The Central Bank's Financial Stability Review highlights Ireland's exposure to global financial risks, including:

  • Geopolitical tensions and trade policy shifts
  • Volatility in global financial markets
  • Sector-specific risks (e.g. pharmaceuticals and ICT)
  • Liquidity pressures in non-bank financial institutions
  • Climate and cyber-related shocks

To ensure financial resilience by design, organisations should consider:

DIVERSIFICATION

Concentration risk arises from excessive exposure to a single counterparty, sector, region, or asset class. Organisations must monitor and manage:

  • Counterparty concentration
  • Sectoral concentration
  • Geographic concentration
  • Product or asset concentration

BUDGETING AND BUFFERS

Resilience events may incur costs exceeding those of typical operational errors. Organisations may be restricted from accessing minimum capital reserves during such events. Accordingly, organisations should leverage ICAAP and ILAAP methodologies to quantify financial buffers and ensure adequate contingency reserves.

Proactive monitoring of financial sustainability and liquidity is essential to safeguard long-term viability and crisis management capabilities.

RISK TRANSFER

For low-probability, high-impact risks, organisations should consider transferring or sharing risk through insurance arrangements. Cyber insurance is increasingly adopted to mitigate financial exposure from cyber incidents.


Arthur Cox Resilience series
